How to provide credentials when connecting to the database from a DataStax Enterprise tool.

Defining a Kerberos scheme

Configure DataStax Enterprise nodes to use Kerberos authentication.

Prerequisites

Completely set up Kerberos for DSE nodes before turning on Kerberos authentication.
When switching authentication methods, or enabling authentication for the first time
in a production environment, DataStax recommends setting up applications to use
Kerberos tickets before restricting access to only authenticated connections. When
DSE Authenticator is disabled, the credentials portion of the connection request is
ignored. Therefore, you can pass Kerberos tickets to DSE before implementing
authentication in the environment.

The keytab file must contain the credentials for both of the fully resolved
principal names, which replace _HOST with the FQDN of the host in the
service_principal and http_principal settings. The UNIX user running DataStax
Enterprise must also have read permissions on the keytab.

service_principal

Sets the principal name for the DSE database and DSE Search (Solr) processes.
Use the form dse/_HOST@REALM, where dse is the service name.

Leave _HOST as is. This variable is used in dse.yaml. DataStax Enterprise
automatically substitutes the FQDN of the host where it runs. Credentials for
this principal must exist in the keytab file, and the keytab must be readable by
the user that Cassandra runs as, usually cassandra.

The service_principal must be consistent everywhere:

dse.yaml file

keytab

cqlshrc file (where it is separated into the service/hostname)

http_principal

Used by the Tomcat application container to run DSE Search. The Tomcat
web server uses the GSSAPI mechanism (SPNEGO) to negotiate the GSSAPI
security mechanism (Kerberos). REALM is the name of
your Kerberos realm. In the Kerberos principal, REALM
must be uppercase.

qop

A comma-delimited list of Quality of Protection (QOP) values that clients and
servers can use for each connection. The client can have multiple QOP values,
while the server can have only a single QOP value. The valid values are:

Encryption using auth-conf is separate and independent of whether encryption is
done using SSL. If both auth-conf and SSL are enabled, the transmitted data is
encrypted twice. DataStax recommends choosing only one method and using it for
both encryption and authentication.

When adding a Kerberos scheme to an authentication-enabled cluster, configure
Kerberos roles before restarting DSE. See Setting up logins and users.
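
The keytab, _HOST, uppercase REALM and cqlshrc consistency requirements above can be checked before authentication is turned on. The following Python check is an added example, not DataStax code: it assumes http_principal has the form HTTP/_HOST@REALM and that the keytab listing comes from `klist -k`, and the host, realm, keytab path and function names are constructed for illustration.

```python
# Added example: sample values below are constructed, not from a real cluster.
SAMPLE_KLIST = """\
Keytab name: FILE:/path/to/dse.keytab
KVNO Principal
---- ------------------------------------------------
   2 dse/node1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 HTTP/node1@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

def keytab_principals(klist_text):
    """Return the principals listed in `klist -k` output (-t/-e columns tolerated)."""
    names = set()
    for line in klist_text.splitlines():
        cols = line.split()
        if cols and cols[0].isdigit():  # entry rows start with the KVNO
            names.update(c for c in cols[1:] if "@" in c)
    return names

def check_kerberos_config(service_principal, http_principal, fqdn, klist_text,
                          cqlsh_service=None, cqlsh_hostname=None):
    """Return a list of problems; an empty list means the settings agree."""
    problems = []
    in_keytab = keytab_principals(klist_text)
    for setting, template in (("service_principal", service_principal),
                              ("http_principal", http_principal)):
        resolved = template.replace("_HOST", fqdn)  # what DSE substitutes at runtime
        realm = resolved.rpartition("@")[2]
        if realm != realm.upper():
            problems.append(f"{setting}: realm {realm} is not uppercase")
        if resolved not in in_keytab:
            problems.append(f"{setting}: {resolved} missing from keytab")
    # cqlshrc carries the service principal split into service and hostname.
    service, _, rest = service_principal.replace("_HOST", fqdn).partition("/")
    host = rest.partition("@")[0]
    if cqlsh_service is not None and cqlsh_service != service:
        problems.append(f"cqlshrc service {cqlsh_service} != {service}")
    if cqlsh_hostname is not None and cqlsh_hostname != host:
        problems.append(f"cqlshrc hostname {cqlsh_hostname} != {host}")
    return problems

if __name__ == "__main__":
    for p in check_kerberos_config("dse/_HOST@EXAMPLE.COM", "HTTP/_HOST@EXAMPLE.COM",
                                   "node1.example.com", SAMPLE_KLIST,
                                   cqlsh_service="cassandra",
                                   cqlsh_hostname="node1.example.com"):
        print(p)
```

Capturing the `klist -k` listing as the UNIX user that runs DataStax Enterprise also exercises the read permission on the keytab, which this check does not test itself.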